From: gnunet
Subject: [GNUnet-SVN] [gnurl] 23/163: schannel: make CAinfo parsing resilient to CR/LF
Date: Sun, 05 Aug 2018 12:35:49 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit aa0f41a5fc1086bd5d6700db6645751176dac935
Author: Johannes Schindelin <address@hidden>
AuthorDate: Tue May 22 00:01:08 2018 +0200
schannel: make CAinfo parsing resilient to CR/LF
OpenSSL has supported --cacert for ages, always accepting LF-only line
endings ("Unix line endings") as well as CR/LF line endings ("Windows
line endings").
When we introduced support for --cacert also with Secure Channel (or in
cURL speak: "WinSSL"), we did not take care to support CR/LF line
endings, too, even if we are much more likely to receive input in that
form when using Windows.
Let's fix that.
Happily, CryptQueryObject(), the function we use to parse the ca-bundle,
accepts CR/LF input already, and the trailing LF before the END
CERTIFICATE marker catches naturally any CR/LF line ending, too. So all
we need to care about is the BEGIN CERTIFICATE marker. We do not
actually need to verify here that the line ending is CR/LF. Just
checking for a CR or an LF is really plenty enough.
Signed-off-by: Johannes Schindelin <address@hidden>
Closes https://github.com/curl/curl/pull/2592
---
lib/vtls/schannel_verify.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/vtls/schannel_verify.c b/lib/vtls/schannel_verify.c
index 26f3ae488..0f44dad42 100644
--- a/lib/vtls/schannel_verify.c
+++ b/lib/vtls/schannel_verify.c
@@ -54,7 +54,7 @@
#define BACKEND connssl->backend
#define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
-#define BEGIN_CERT "-----BEGIN CERTIFICATE-----\n"
+#define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
#define END_CERT "\n-----END CERTIFICATE-----"
typedef struct {
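Review bot: the asymmetry between the two markers deserves a comment next to the defines. BEGIN_CERT drops its trailing "\n" so that strstr() matches regardless of the line ending that follows, while END_CERT keeps its leading "\n", which is correct because an LF immediately precedes the END marker under both LF and CR/LF conventions (a CR-only bundle would still not match END_CERT). Without that comment a later reader is likely to "fix" the inconsistency. Note also that without the newline strstr() now matches a BEGIN marker followed by anything; the requirement that a line break follows is restored only by the check in add_certs_to_store(), so the two hunks must be kept in step.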
@@ -72,6 +72,10 @@ typedef struct {
HCERTSTORE hExclusiveTrustedPeople;
} CERT_CHAIN_ENGINE_CONFIG_WIN7, *PCERT_CHAIN_ENGINE_CONFIG_WIN7;
+static int is_cr_or_lf(char c)
+{
+ return c == '\r' || c == '\n';
+}
static CURLcode add_certs_to_store(HCERTSTORE trust_store,
const char *ca_file,
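Review bot: is_cr_or_lf() would benefit from a one-line comment saying that it deliberately accepts a lone CR as well as LF, because only the single byte after the BEGIN marker is inspected and a "\r\n" ending is recognised by its first byte; that rationale currently lives only in the commit message. Returning bool instead of int would also make the predicate's intent clearer.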
@@ -178,7 +182,7 @@ static CURLcode add_certs_to_store(HCERTSTORE trust_store,
current_ca_file_ptr = ca_file_buffer;
while(more_certs && *current_ca_file_ptr != '\0') {
char *begin_cert_ptr = strstr(current_ca_file_ptr, BEGIN_CERT);
- if(!begin_cert_ptr) {
+ if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[strlen(BEGIN_CERT)])) {
more_certs = 0;
}
else {
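Review bot: when strstr() finds a BEGIN marker that is not followed by CR or LF, the new condition sets more_certs = 0 and ends the loop, so any well-formed certificates later in the bundle are silently dropped; before this change such a stray marker was simply not matched by the "\n"-terminated BEGIN_CERT and the search moved on to the next one. Consider advancing current_ca_file_ptr past the marker and continuing rather than stopping. The check is safe when the marker is the last thing in the buffer only because ca_file_buffer is NUL-terminated, which the loop condition already assumes: begin_cert_ptr[strlen(BEGIN_CERT)] then reads the terminator, which is not CR/LF. A compile-time sizeof(BEGIN_CERT) - 1 would also avoid recomputing strlen() on every iteration.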
--
To stop receiving notification emails like this one, please contact
address@hidden
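As an added example (not curl's or gnurl's code), a small scanner for the marker handling the commit describes: it accepts LF or CR/LF after the BEGIN marker and relies on the LF that precedes the END marker, like the patch. It goes one step further by skipping a stray marker instead of ending the scan, and the sample bundles are constructed placeholders rather than real certificates.

```c
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
/* An LF directly precedes the END marker under both LF and CR/LF endings. */
#define PEM_END   "\n-----END CERTIFICATE-----"
#define PEM_BEGIN_LEN (sizeof(PEM_BEGIN) - 1)
#define PEM_END_LEN   (sizeof(PEM_END) - 1)

static int is_cr_or_lf(char c)
{
  return c == '\r' || c == '\n';
}

/* Count well-formed BEGIN..END blocks in a NUL-terminated bundle.
 * Returns -1 if a BEGIN marker has no matching END (truncated input). */
int count_pem_certs(const char *bundle)
{
  const char *p = bundle;
  int count = 0;

  while(*p) {
    const char *begin = strstr(p, PEM_BEGIN);
    const char *end;
    if(!begin)
      break;
    /* begin[PEM_BEGIN_LEN] may be the NUL terminator; it is not CR/LF, so a
     * marker at the very end of the buffer is rejected without overreading. */
    if(!is_cr_or_lf(begin[PEM_BEGIN_LEN])) {
      p = begin + PEM_BEGIN_LEN;  /* stray marker: keep scanning, do not stop */
      continue;
    }
    end = strstr(begin + PEM_BEGIN_LEN, PEM_END);
    if(!end)
      return -1;
    count++;
    p = end + PEM_END_LEN;
  }
  return count;
}

/* Constructed sample bundles (placeholder base64, not real certificates). */
static const char BUNDLE_LF[] =
  "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
  "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";
static const char BUNDLE_CRLF[] =
  "-----BEGIN CERTIFICATE-----\r\nAAAA\r\n-----END CERTIFICATE-----\r\n"
  "-----BEGIN CERTIFICATE-----\r\nBBBB\r\n-----END CERTIFICATE-----\r\n";
```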